Group description: PittyTiger

attack.mitre.org · MITRE ATT&CK · 20 hours ago · news
PittyTiger, Group G0011 | MITRE ATT&CK®

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. [1] [2]

ID: G0011
Version: 1.2
Created: 31 May 2017
Last Modified: 25 April 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1588.002 | Obtain Capabilities: Tool | PittyTiger has obtained and used tools such as Mimikatz and gsecdump. [1]
Enterprise | T1078 | Valid Accounts | PittyTiger attempts to obtain legitimate credentials during operations. [1]

Software

S0032 gh0st RAT [1] [2]
  Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Dynamic Resolution: Fast Flux DNS; Encrypted Channel: Symmetric Cryptography; Encrypted Channel; Hijack Execution Flow: DLL; Indicator Removal: Clear Windows Event Logs; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; System Binary Proxy Execution: Rundll32; System Information Discovery; System Services: Service Execution

S0008 gsecdump [1]
  Techniques: OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSA Secrets

S0010 Lurid [2]
  Techniques: Archive Collected Data; Encrypted Channel: Symmetric Cryptography

S0002 Mimikatz [1]
  Techniques: Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Credentials from Password Stores: Windows Credential Manager; OS Credential Dumping: DCSync; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Golden Ticket; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Hash; Use Alternate Authentication Material: Pass the Ticket

S0012 PoisonIvy [2]
  Techniques: Application Window Discovery; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Active Setup; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Obfuscated Files or Information; Process Injection: Dynamic-link Library Injection; Rootkit

References

[1] Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
[2] Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.